SLIDE 1
Lattice-based cryptanalysis
Thijs Laarhoven
mail@thijs.com http://www.thijs.com/
EiPSI seminar
(February 11th, 2019)
O
Lattices
What is a lattice?
Lattice-based cryptanalysis Thijs Laarhoven mail@thijs.com - - PowerPoint PPT Presentation
Lattice-based cryptanalysis Thijs Laarhoven mail@thijs.com - - PowerPoint PPT Presentation
Lattice-based cryptanalysis Thijs Laarhoven mail@thijs.com http://www.thijs.com/ EiPSI seminar (February 11th, 2019) Lattices What is a lattice? O Lattices What is a lattice? b 2 b 1 O Lattices What is a lattice? b 2 b 1 O Lattices
SLIDE 2
SLIDE 3
O b1 b2
Lattices
What is a lattice?
SLIDE 4
O b1 b2
Lattices
What is a lattice?
SLIDE 5
O b1 b2 s
Lattices
Shortest Vector Problem (SVP)
SLIDE 6
O b1 b2 s
- s
Lattices
Shortest Vector Problem (SVP)
SLIDE 7
O b1 b2 t
Lattices
Closest Vector Problem (CVP)
SLIDE 8
O b1 b2 t v
Lattices
Closest Vector Problem (CVP)
SLIDE 9
O r1 r2 b1 b2
Lattices
Lattice basis reduction
SLIDE 10
Lattices
Hard lattice problems [LvdPdW12]
CVPγ BDD1/γ USVPγ HSVPγ SVPγ GapSVPγ SBPγ SIVPγ LWEn,q,m,α SISn,q,m,ν 2 * γ √n/log n √n √n √n/2 √γn * * *
SLIDE 11
Lattices
Lattice-based cryptanalysis
Problem: Security of lattice-based cryptographic primitives
- Lattice-based crypto relies on hardness of lattice problems
- Most lattice problems reducible to (approximate) SVP
- State-of-the-art: BKZ basis reduction [Sch87, SE94, ...]
◮ BKZ uses exact SVP algorithm as subroutine ◮ Complexity of BKZ dominated by exact SVP calls
SVP costs =⇒ BKZ costs =⇒ Security estimates =⇒ Parameters Problem: How hard is SVP in high dimensions?
SLIDE 12
Outline
Lattices SVP algorithms Enumeration Sieving SVP hardness Theory Practice NIST submissions Conclusion
SLIDE 13
Outline
Lattices SVP algorithms Enumeration Sieving SVP hardness Theory Practice NIST submissions Conclusion
SLIDE 14
O b1 b2
Enumeration
- 1. Determine possible coefficients of b2
SLIDE 15
O b1 b2
Enumeration
- 1. Determine possible coefficients of b2
SLIDE 16
O b1 b2
Enumeration
- 1. Determine possible coefficients of b2
SLIDE 17
O b1 b2 b2
*
Enumeration
- 1. Determine possible coefficients of b2
SLIDE 18
O b1 b2 b2
*
Enumeration
- 1. Determine possible coefficients of b2
SLIDE 19
O b1 b2 b2
*
Enumeration
- 2. Find short vectors for each coefficient of b2
SLIDE 20
O b1 b2 b2
*
Enumeration
- 2. Find short vectors for each coefficient of b2
SLIDE 21
O b1 b2 b2
*
v1
- v1
Enumeration
- 2. Find short vectors for each coefficient of b2
SLIDE 22
O b1 b2 b2
*
v1
- v1
Enumeration
- 2. Find short vectors for each coefficient of b2
SLIDE 23
O b1 b2 b2
*
v1
- v1
v2 v3
Enumeration
- 2. Find short vectors for each coefficient of b2
SLIDE 24
O b1 b2 b2
*
v1
- v1
v2 v3
Enumeration
- 2. Find short vectors for each coefficient of b2
SLIDE 25
O b1 b2 b2
*
v1
- v1
v2 v3 v4 v5
Enumeration
- 2. Find short vectors for each coefficient of b2
SLIDE 26
O b1 b2 b2
*
v1
- v1
v2 v3 v4 v5
Enumeration
- 2. Find short vectors for each coefficient of b2
SLIDE 27
O b1 b2 b2
*
v1
- v1
v2 v3 v4 v5 v6
Enumeration
- 2. Find short vectors for each coefficient of b2
SLIDE 28
O b1 b2 b2
*
v1
- v1
v2 v3 v4 v5 v6
Enumeration
- 2. Find short vectors for each coefficient of b2
SLIDE 29
O b1 b2 b2
*
v1
- v1
v2 v3 v4 v5 v6
- v2
- v3
- v4
- v5
- v6
Enumeration
- 2. Find short vectors for each coefficient of b2
SLIDE 30
O b1 b2 b2
*
v1
- v1
v2 v3 v4 v5 v6
- v2
- v3
- v4
- v5
- v6
Enumeration
- 2. Find short vectors for each coefficient of b2
SLIDE 31
O b1 b2 b2
*
v1
- v1
v2 v3 v4 v5 v6
- v2
- v3
- v4
- v5
- v6
Enumeration
- 3. Find a shortest vector among all found vectors
SLIDE 32
O b1 b2 b2
*
v1
- v1
v3 v4 v5 v6
- v3
- v4
- v5
- v6
v2
- v2
Enumeration
- 3. Find a shortest vector among all found vectors
SLIDE 33
O b1 b2 b2
*
v1
- v1
v3 v4 v5 v6
- v3
- v4
- v5
- v6
v2
- v2
Enumeration
Overview
SLIDE 34
O b1 b2 b2
*
v1
- v1
v3 v4 v5 v6
- v3
- v4
- v5
- v6
v2
- v2
Enumeration
Overview
Theorem (Fincke–Pohst, Math. of Comp. ’85)
Lattice enumeration solves SVP in time 2O(n2) and space poly(n).
SLIDE 35
O b1 b2 b2
*
v1
- v1
v3 v4 v5 v6
- v3
- v4
- v5
- v6
v2
- v2
Enumeration
Overview
Theorem (Fincke–Pohst, Math. of Comp. ’85)
Lattice enumeration solves SVP in time 2O(n2) and space poly(n). Essentially reduces SVPn (CVPn) to 2O(n) instances of CVPn−1.
SLIDE 36
O b1 b2
Enumeration
Better bases
SLIDE 37
O r1 r2
Enumeration
Better bases
SLIDE 38
O r1 r2
Enumeration
Better bases
SLIDE 39
O r1 r2
Enumeration
Better bases
SLIDE 40
O r1 r2 r2
*
Enumeration
Better bases
SLIDE 41
O r1 r2 r2
*
Enumeration
Better bases
SLIDE 42
O r1 r2 r2
*
Enumeration
Better bases
SLIDE 43
O r1 r2 r2
*
v1
- v1
Enumeration
Better bases
SLIDE 44
O r1 r2 r2
*
v1
- v1
Enumeration
Better bases
SLIDE 45
O r1 r2 r2
*
v1
- v1
Enumeration
Better bases
SLIDE 46
O r1 r2 r2
*
v1
- v1
Enumeration
Better bases
SLIDE 47
O r1 r2 r2
*
v1
- v1
Enumeration
Better bases
Theorem (Kannan, STOC’83)
Combining enumeration with stronger basis reduction, one can solve SVP in time 2O(nlogn) and space poly(n).
SLIDE 48
O r1 r2 r2
*
v1
- v1
Enumeration
Better bases
Theorem (Kannan, STOC’83)
Combining enumeration with stronger basis reduction, one can solve SVP in time 2O(nlogn) and space poly(n). “Our algorithm reduces an n-dimensional problem to polynomially many (instead of 2O(n)) (n − 1)-dimensional
- problems. [...] The algorithm we propose, first finds a more
- rthogonal basis for a lattice in time 2O(nlogn).”
– Kannan, STOC’83
SLIDE 49
O b1 b2
Enumeration
Pruning the enumeration tree
SLIDE 50
O b1 b2 b2
*
Enumeration
Pruning the enumeration tree
SLIDE 51
O b1 b2 b2
*
Enumeration
Pruning the enumeration tree
SLIDE 52
O b1 b2 b2
*
v1
- v1
v2 v3
- v2
- v3
Enumeration
Pruning the enumeration tree
SLIDE 53
O b1 b2 b2
*
v1
- v1
v3
- v3
v2
- v2
Enumeration
Pruning the enumeration tree
SLIDE 54
Outline
Lattices SVP algorithms Enumeration Sieving SVP hardness Theory Practice NIST submissions Conclusion
SLIDE 55
O
Sieving
- 1. Sample a list L of random lattice vectors
SLIDE 56
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15
Sieving
- 1. Sample a list L of random lattice vectors
SLIDE 57
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15
Sieving
- 2. Collect all short difference vectors
SLIDE 58
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 O
Sieving
- 2. Collect all short difference vectors
SLIDE 59
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v1 v1
Sieving
- 2. Collect all short difference vectors
SLIDE 60
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v1 v2 v2
Sieving
- 2. Collect all short difference vectors
SLIDE 61
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v1 v2 v3 v3
Sieving
- 2. Collect all short difference vectors
SLIDE 62
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v1 v2 v3 v4 v4
Sieving
- 2. Collect all short difference vectors
SLIDE 63
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v1 v2 v3 v4 v5 v5
Sieving
- 2. Collect all short difference vectors
SLIDE 64
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v1 v2 v3 v4 v5 v6 v6
Sieving
- 2. Collect all short difference vectors
SLIDE 65
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v1 v2 v3 v4 v5 v6 v7 v7
Sieving
- 2. Collect all short difference vectors
SLIDE 66
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v1 v2 v3 v4 v5 v6 v7 v8 v8
Sieving
- 2. Collect all short difference vectors
SLIDE 67
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v1 v2 v3 v4 v5 v6 v7 v8 v9 v9
Sieving
- 2. Collect all short difference vectors
SLIDE 68
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v10
Sieving
- 2. Collect all short difference vectors
SLIDE 69
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v11
Sieving
- 2. Collect all short difference vectors
SLIDE 70
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v12
Sieving
- 2. Collect all short difference vectors
SLIDE 71
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v13
Sieving
- 2. Collect all short difference vectors
SLIDE 72
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v14
Sieving
- 2. Collect all short difference vectors
SLIDE 73
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v15
Sieving
- 2. Collect all short difference vectors
SLIDE 74
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15
Sieving
- 2. Collect all short difference vectors
SLIDE 75
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15
Sieving
- 3. Repeat with difference vectors until we find a shortest vector
SLIDE 76
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15
Sieving
- 3. Repeat with difference vectors until we find a shortest vector
SLIDE 77
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v1 v2 v3 v4 v5 v6 v7 v8 v9
Sieving
- 3. Repeat with difference vectors until we find a shortest vector
SLIDE 78
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v1 v2 v3 v4 v5 v6 v7 v8 v9
Sieving
Overview
SLIDE 79
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v1 v2 v3 v4 v5 v6 v7 v8 v9
Sieving
Overview
Heuristic (Nguyen–Vidick, J. Math. Crypt. ’08)
Sieving solves SVP in time (4/3)n+o(n) and space (4/3)n/2+o(n).
SLIDE 80
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v1 v2 v3 v4 v5 v6 v7 v8 v9
Sieving
Overview
Heuristic (Nguyen–Vidick, J. Math. Crypt. ’08)
Sieving solves SVP in time (4/3)n+o(n) and space (4/3)n/2+o(n). The list size comes from heuristic packing/saturation arguments, the time complexity is quadratic in the list size.
SLIDE 81
O
Sieving
Near neighbor techniques
SLIDE 82
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15
Sieving
Near neighbor techniques
SLIDE 83
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15
Sieving
Near neighbor techniques
SLIDE 84
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15
Sieving
Near neighbor techniques
SLIDE 85
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15
Sieving
Near neighbor techniques
SLIDE 86
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15
Sieving
Near neighbor techniques
SLIDE 87
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15
Sieving
Near neighbor techniques
SLIDE 88
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v1 v2 v3 v4 v5 v6 v7
Sieving
Near neighbor techniques
SLIDE 89
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16
Sieving
Random hypercones
SLIDE 90
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16
Sieving
Random hypercones
SLIDE 91
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16
Sieving
Random hypercones
SLIDE 92
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16
Sieving
Random hypercones
SLIDE 93
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16
Sieving
Random hypercones
SLIDE 94
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16
Sieving
Random hypercones
SLIDE 95
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16
Sieving
Random hypercones
SLIDE 96
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16
Sieving
Random hypercones
SLIDE 97
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16
Sieving
Random hypercones
SLIDE 98
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16
Sieving
Random hypercones
SLIDE 99
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16
Sieving
Random hypercones
SLIDE 100
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16
Sieving
Randomly rotated cross-polytopes
SLIDE 101
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16
Sieving
Randomly rotated cross-polytopes
SLIDE 102
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16
Sieving
Randomly rotated cross-polytopes
SLIDE 103
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16
Sieving
Randomly rotated cross-polytopes
SLIDE 104
O v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16
Sieving
Randomly rotated cross-polytopes
SLIDE 105
Outline
Lattices SVP algorithms Enumeration Sieving SVP hardness Theory Practice NIST submissions Conclusion
SLIDE 106
SVP hardness
Theory (January 2019)
Algorithm log2(Time) log2(Space)
Proven SVP
Enumeration [Poh81, Kan83, ..., MW15, AN17] O(nlogn) O(logn) AKS-sieve [AKS01, NV08, MV10, HPS11] 3.398n 1.985n ListSieve [MV10, MDB14] 3.199n 1.327n Birthday sieves [PS09, HPS11] 2.465n 1.233n Enumeration/DGS hybrid [CCL17] 2.048n 0.500n Voronoi cell algorithm [AEVZ02, MV10b] 2.000n 1.000n Quantum sieve [LMP13, LMP15] 1.799n 1.286n Quantum enum/DGS [CCL17] 1.256n 0.500n Discrete Gaussian sampling [ADRS15, ADS15, AS18] 1.000n 1.000n
Sieving
The Nguyen–Vidick sieve [NV08] 0.415n 0.208n GaussSieve [MV10, ..., IKMT14, BNvdP16, YKYC17] 0.415n 0.208n Triple sieve [BLS16, HK17] 0.396n 0.189n Leveled sieving [WLTB11, ZPH13] 0.3778n 0.283n Overlattice sieve [BGJ14] 0.3774n 0.293n Quantum sieve [LMP13] 0.312n 0.208n
Sieving + NNS
Triple sieve with NNS [HK17, HKL18] 0.359n 0.189n Single filters [DL17, ADH+19] 0.349n 0.246n Hyperplane LSH [Cha02, FBB+14, Laa15, ..., LM18] 0.337n 0.337n Graph-based NNS [EPY99, DCL11, MPLK14, Laa18] 0.327n 0.282n Hypercube LSH [TT07, Laa17] 0.322n 0.322n May–Ozerov NNS [MO15, BGJ15] 0.311n 0.311n Spherical LSH [AINR14, LdW15] 0.297n 0.297n Cross-polytope LSH [TT07, AILRS15, BL16, KW17] 0.297n 0.297n Spherical LSF [BDGL16, MLB17, ALRW17, Chr17] 0.292n 0.292n Quantum NNS sieve [LMP15, Laa16] 0.265n 0.265n
SLIDE 107
SVP hardness
Theory (January 2019)
Algorithm log2(Time) log2(Space)
Proven SVP
Enumeration [Poh81, Kan83, ..., MW15, AN17] O(nlogn) O(logn) AKS-sieve [AKS01, NV08, MV10, HPS11] 3.398n 1.985n ListSieve [MV10, MDB14] 3.199n 1.327n Birthday sieves [PS09, HPS11] 2.465n 1.233n Enumeration/DGS hybrid [CCL17] 2.048n 0.500n Voronoi cell algorithm [AEVZ02, MV10b] 2.000n 1.000n Quantum sieve [LMP13, LMP15] 1.799n 1.286n Quantum enum/DGS [CCL17] 1.256n 0.500n Discrete Gaussian sampling [ADRS15, ADS15, AS18] 1.000n 1.000n
Sieving
The Nguyen–Vidick sieve [NV08] 0.415n 0.208n GaussSieve [MV10, ..., IKMT14, BNvdP16, YKYC17] 0.415n 0.208n Triple sieve [BLS16, HK17] 0.396n 0.189n Leveled sieving [WLTB11, ZPH13] 0.3778n 0.283n Overlattice sieve [BGJ14] 0.3774n 0.293n Quantum sieve [LMP13] 0.312n 0.208n
Sieving + NNS
Triple sieve with NNS [HK17, HKL18] 0.359n 0.189n Single filters [DL17, ADH+19] 0.349n 0.246n Hyperplane LSH [Cha02, FBB+14, Laa15, ..., LM18] 0.337n 0.337n Graph-based NNS [EPY99, DCL11, MPLK14, Laa18] 0.327n 0.282n Hypercube LSH [TT07, Laa17] 0.322n 0.322n May–Ozerov NNS [MO15, BGJ15] 0.311n 0.311n Spherical LSH [AINR14, LdW15] 0.297n 0.297n Cross-polytope LSH [TT07, AILRS15, BL16, KW17] 0.297n 0.297n Spherical LSF [BDGL16, MLB17, ALRW17, Chr17] 0.292n 0.292n Quantum NNS sieve [LMP15, Laa16] 0.265n 0.265n
SLIDE 108
SVP hardness
Practice (July 2017) ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■
▼▼ ▼ ▼ ▼ ▼ ▼ ▼▼ ▼ ▼ ▼ ▼ ▼▼▼▼ ▼▼
★ ★★★★★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ■ Enumeration (continuous pruning)
▼ Enumeration (discrete pruning)
★ Sieving
80 100 120 140 160 100 104 106 108 1010 → Lattice dimension → Single core timings (seconds) 1 hour 1 day 1 year 1 century
SLIDE 109
SLIDE 110
SLIDE 111
SVP hardness
Practice (February 2019) ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■
▼▼ ▼ ▼ ▼ ▼ ▼ ▼▼ ▼ ▼ ▼ ▼ ▼▼▼▼ ▼▼
★ ★★★★★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★
♢ ♢ ♢ ♢ ♢ ♢♢ ♢ ♢ ♢ ♢♢♢ ♢♢ ♢♢♢♢
■ Enumeration (continuous pruning)
▼ Enumeration (discrete pruning)
★ Sieving (old)
♢ Sieving (new)
80 100 120 140 160 100 104 106 108 1010 → Lattice dimension → Single core timings (seconds) 1 hour 1 day 1 year 1 century
SLIDE 112
SVP hardness
NIST submissions – Round 1 (December 2017)
Title S E O Submitters
CRYSTALS–Dilithium
- Lyubashevsky, Ducas, Kiltz, Lepoint, Schwabe, Seiler, Stehlé
CRYSTALS–Kyber
- Schwabe, Avanzi, Bos, Ducas, Kiltz, Lepoint, Lyubashevsky, Schanck, ...
Ding Key Exchange
- Ding, Takagi, Gao, Wang
DRS
- Plantard, Sipasseuth, Dumondelle, Susilo
(R.)EMBLEM
- Seo, Park, Lee, Kim, Lee
FALCON
- Prest, Fouque, Hoffstein, Kirchner, Lyubashevsky, Pornin, Ricosset, ...
FrodoKEM
- Naehrig, Alkim, Bos, Ducas, Easterbrook, LaMacchia, Longa, Mironov, ...
Giophantus
- Akiyama, Goto, Okumura, Takagi, Nuida, Hanaoka, Shimizu, Ikematsu
HILA5
- Saarinen
KCL
- Zhao, Jin, Gong, Sui
KINDI
- El Bansarkhani
LAC
- Lu, Liu, Jia, Xue, He, Zhang
LIMA
- Smart, Albrecht, Lindell, Orsini, Osheter, Paterson, Peer
Lizard
- Cheon, Park, Lee, Kim, Song, Hong, Kim, Kim, Hong, Yun, Kim, Park, ...
LOTUS
- Phong, Hayashi, Aono, Moriai
NewHope
- Pöppelmann, Alkim, Avanzi, Bos, Ducas, De La Piedra, Schwabe, Stebila
NTRUEncrypt
- Zhang, Chen, Hoffstein, Whyte
NTRU-HRSS-KEM
- Schanck, Hülsing, Rijneveld, Schwabe
NTRU Prime
- Bernstein, Chuengsatiansup, Lange, Van Vredendaal
Odd Manhattan
- Plantard
pqNTRUSign
- Zhang, Chen, Hoffstein, Whyte
qTESLA
- Bindel, Akleylek, Alkim, Barreto, Buchmann, Eaton, Gutoski, Krämer, ...
Round2
- Garcia-Morchon, Zhang, Bhattacharya, Rietman, Tolhuizen, Torre-Arce
SABER
- D’Anvers, Karmakar, Roy, Vercauteren
Three Bears
- Hamburg
Titanium
- Steinfeld, Sakzad, Zhao
Totals: 24 4 2 Total: 26 proposals with SVP hardness estimates *Not included in the overview: Compact LWE, Mersenne, Ramstake, ...
SLIDE 113
SVP hardness
NIST submissions – Round 1 (merges)
Title S E O Submitters
CRYSTALS–Dilithium
- Lyubashevsky, Ducas, Kiltz, Lepoint, Schwabe, Seiler, Stehlé
CRYSTALS–Kyber
- Schwabe, Avanzi, Bos, Ducas, Kiltz, Lepoint, Lyubashevsky, Schanck, ...
Ding Key Exchange
- Ding, Takagi, Gao, Wang
DRS
- Plantard, Sipasseuth, Dumondelle, Susilo
(R.)EMBLEM
- Seo, Park, Lee, Kim, Lee
FALCON
- Prest, Fouque, Hoffstein, Kirchner, Lyubashevsky, Pornin, Ricosset, ...
FrodoKEM
- Naehrig, Alkim, Bos, Ducas, Easterbrook, LaMacchia, Longa, Mironov, ...
Giophantus
- Akiyama, Goto, Okumura, Takagi, Nuida, Hanaoka, Shimizu, Ikematsu
HILA5
- Saarinen
KCL
- Zhao, Jin, Gong, Sui
KINDI
- El Bansarkhani
LAC
- Lu, Liu, Jia, Xue, He, Zhang
LIMA
- Smart, Albrecht, Lindell, Orsini, Osheter, Paterson, Peer
Lizard
- Cheon, Park, Lee, Kim, Song, Hong, Kim, Kim, Hong, Yun, Kim, Park, ...
LOTUS
- Phong, Hayashi, Aono, Moriai
NewHope
- Pöppelmann, Alkim, Avanzi, Bos, Ducas, De La Piedra, Schwabe, Stebila
NTRUEncrypt
- Zhang, Chen, Hoffstein, Whyte
NTRU-HRSS-KEM
- Schanck, Hülsing, Rijneveld, Schwabe
NTRU Prime
- Bernstein, Chuengsatiansup, Lange, Van Vredendaal
Odd Manhattan
- Plantard
pqNTRUSign
- Zhang, Chen, Hoffstein, Whyte
qTESLA
- Bindel, Akleylek, Alkim, Barreto, Buchmann, Eaton, Gutoski, Krämer, ...
Round2
- Garcia-Morchon, Zhang, Bhattacharya, Rietman, Tolhuizen, Torre-Arce
SABER
- D’Anvers, Karmakar, Roy, Vercauteren
Three Bears
- Hamburg
Titanium
- Steinfeld, Sakzad, Zhao
Totals: 24 4 2 Total: 26 proposals with SVP hardness estimates *Not included in the overview: Compact LWE, Mersenne, Ramstake, ...
SLIDE 114
SVP hardness
NIST submissions – Round 1 (merges)
Title S E O Submitters
CRYSTALS–Dilithium
- Lyubashevsky, Ducas, Kiltz, Lepoint, Schwabe, Seiler, Stehlé
CRYSTALS–Kyber
- Schwabe, Avanzi, Bos, Ducas, Kiltz, Lepoint, Lyubashevsky, Schanck, ...
Ding Key Exchange
- Ding, Takagi, Gao, Wang
DRS
- Plantard, Sipasseuth, Dumondelle, Susilo
(R.)EMBLEM
- Seo, Park, Lee, Kim, Lee
FALCON
- Prest, Fouque, Hoffstein, Kirchner, Lyubashevsky, Pornin, Ricosset, ...
FrodoKEM
- Naehrig, Alkim, Bos, Ducas, Easterbrook, LaMacchia, Longa, Mironov, ...
Giophantus
- Akiyama, Goto, Okumura, Takagi, Nuida, Hanaoka, Shimizu, Ikematsu
KCL
- Zhao, Jin, Gong, Sui
KINDI
- El Bansarkhani
LAC
- Lu, Liu, Jia, Xue, He, Zhang
LIMA
- Smart, Albrecht, Lindell, Orsini, Osheter, Paterson, Peer
Lizard
- Cheon, Park, Lee, Kim, Song, Hong, Kim, Kim, Hong, Yun, Kim, Park, ...
LOTUS
- Phong, Hayashi, Aono, Moriai
NewHope
- Pöppelmann, Alkim, Avanzi, Bos, Ducas, De La Piedra, Schwabe, Stebila
NTRU
- Zhang, Chen, Hoffstein, Hülsing, Rijneveld, Schanck, Schwabe, Whyte
NTRU Prime
- Bernstein, Chuengsatiansup, Lange, Van Vredendaal
Odd Manhattan
- Plantard
pqNTRUSign
- Zhang, Chen, Hoffstein, Whyte
qTESLA
- Bindel, Akleylek, Alkim, Barreto, Buchmann, Eaton, Gutoski, Krämer, ...
Round5
- Garcia-Morchon, Saarinen, Zhang, Bhattacharya, Rietman, Tolhuizen, ...
SABER
- D’Anvers, Karmakar, Roy, Vercauteren
Three Bears
- Hamburg
Titanium
- Steinfeld, Sakzad, Zhao
Totals: 20 4 2 Total: 24 proposals with SVP hardness estimates *Not included in the overview: Compact LWE, Mersenne, Ramstake, ...
SLIDE 115
SVP hardness
NIST submissions – Round 2 (February 2019)
Title S E O Submitters
CRYSTALS–Dilithium
- Lyubashevsky, Ducas, Kiltz, Lepoint, Schwabe, Seiler, Stehlé
CRYSTALS–Kyber
- Schwabe, Avanzi, Bos, Ducas, Kiltz, Lepoint, Lyubashevsky, Schanck, ...
Ding Key Exchange
- Ding, Takagi, Gao, Wang
DRS
- Plantard, Sipasseuth, Dumondelle, Susilo
(R.)EMBLEM
- Seo, Park, Lee, Kim, Lee
FALCON
- Prest, Fouque, Hoffstein, Kirchner, Lyubashevsky, Pornin, Ricosset, ...
FrodoKEM
- Naehrig, Alkim, Bos, Ducas, Easterbrook, LaMacchia, Longa, Mironov, ...
Giophantus
- Akiyama, Goto, Okumura, Takagi, Nuida, Hanaoka, Shimizu, Ikematsu
KCL
- Zhao, Jin, Gong, Sui
KINDI
- El Bansarkhani
LAC
- Lu, Liu, Jia, Xue, He, Zhang
LIMA
- Smart, Albrecht, Lindell, Orsini, Osheter, Paterson, Peer
Lizard
- Cheon, Park, Lee, Kim, Song, Hong, Kim, Kim, Hong, Yun, Kim, Park, ...
LOTUS
- Phong, Hayashi, Aono, Moriai
NewHope
- Pöppelmann, Alkim, Avanzi, Bos, Ducas, De La Piedra, Schwabe, Stebila
NTRU
- Zhang, Chen, Hoffstein, Hülsing, Rijneveld, Schanck, Schwabe, Whyte
NTRU Prime
- Bernstein, Chuengsatiansup, Lange, Van Vredendaal
Odd Manhattan
- Plantard
pqNTRUSign
- Zhang, Chen, Hoffstein, Whyte
qTESLA
- Bindel, Akleylek, Alkim, Barreto, Buchmann, Eaton, Gutoski, Krämer, ...
Round5
- Garcia-Morchon, Saarinen, Zhang, Bhattacharya, Rietman, Tolhuizen, ...
SABER
- D’Anvers, Karmakar, Roy, Vercauteren
Three Bears
- Hamburg
Titanium
- Steinfeld, Sakzad, Zhao
Totals: 11 2 Total: 12 proposals with SVP hardness estimates *Not included in the overview: Compact LWE, Mersenne, Ramstake, ...
SLIDE 116
SLIDE 117
SLIDE 118
SVP hardness
NIST submissions
Most common hardness estimates:
- Complexity of BKZ(β) ≥ Complexity of SVP(β)
- Ignore space complexity, ignore o(n) in time complexity
- Classical sieving: 20.292n time [BDGL16]
- Quantum sieving: 20.265n time [Laa16]
- “Paranoid bound”: 20.208n time
SLIDE 119
Conclusion
Lattice-based cryptography
- Security relies on hardness of finding short vectors
- State-of-the-art approach: BKZ with fast SVP subroutine
- Cost of BKZ dominated by cost of exact SVP algorithm
SVP algorithms
- Lattice enumeration: Brute-force approach
- Lattice sieving: Memory-intensive approach
SVP hardness
- Theory: Sieving superior in high dimensions
- Practice: Sieving superior in moderate/high dimensions
- Hardness estimates: Commonly based on sieving
SLIDE 120